All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
@ 2020-10-21  7:44 Chris Packham
  2020-10-22 13:43 ` Thomas Petazzoni
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Packham @ 2020-10-21  7:44 UTC (permalink / raw)
  To: buildroot

This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been
updated.

Signed-off-by: Chris Packham <judge.packham@gmail.com>
---
 package/syslog-ng/syslog-ng.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
index 7c2368efba..8587da746a 100644
--- a/package/syslog-ng/syslog-ng.mk
+++ b/package/syslog-ng/syslog-ng.mk
@@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
 SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
 	--disable-java --disable-java-modules --disable-mongodb
 
+# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
+# aware of the fix, ignore it
+SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
+
 ifeq ($(BR2_PACKAGE_GEOIP),y)
 SYSLOG_NG_DEPENDENCIES += geoip
 SYSLOG_NG_CONF_OPTS += --enable-geoip
-- 
2.28.0

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
  2020-10-21  7:44 [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110 Chris Packham
@ 2020-10-22 13:43 ` Thomas Petazzoni
  2020-11-02  6:54   ` Chris Packham
  0 siblings, 1 reply; 5+ messages in thread
From: Thomas Petazzoni @ 2020-10-22 13:43 UTC (permalink / raw)
  To: buildroot

Hello Chris,

On Wed, 21 Oct 2020 20:44:24 +1300
Chris Packham <judge.packham@gmail.com> wrote:

> This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> updated.
> 
> Signed-off-by: Chris Packham <judge.packham@gmail.com>
> ---
>  package/syslog-ng/syslog-ng.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
> index 7c2368efba..8587da746a 100644
> --- a/package/syslog-ng/syslog-ng.mk
> +++ b/package/syslog-ng/syslog-ng.mk
> @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
>  SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
>  	--disable-java --disable-java-modules --disable-mongodb
>  
> +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
> +# aware of the fix, ignore it
> +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110

But as proposed over e-mail separately, the proper fix is to modify the
NVD database. Have you had the chance to report the issue to the NVD
database maintainers ?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
  2020-10-22 13:43 ` Thomas Petazzoni
@ 2020-11-02  6:54   ` Chris Packham
  2020-11-11  7:22     ` Chris Packham
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Packham @ 2020-11-02  6:54 UTC (permalink / raw)
  To: buildroot

Hi Thomas,

On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Chris,
>
> On Wed, 21 Oct 2020 20:44:24 +1300
> Chris Packham <judge.packham@gmail.com> wrote:
>
> > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> > updated.
> >
> > Signed-off-by: Chris Packham <judge.packham@gmail.com>
> > ---
> >  package/syslog-ng/syslog-ng.mk | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
> > index 7c2368efba..8587da746a 100644
> > --- a/package/syslog-ng/syslog-ng.mk
> > +++ b/package/syslog-ng/syslog-ng.mk
> > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> >  SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> >       --disable-java --disable-java-modules --disable-mongodb
> >
> > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
> > +# aware of the fix, ignore it
> > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
>
> But as proposed over e-mail separately, the proper fix is to modify the
> NVD database. Have you had the chance to report the issue to the NVD
> database maintainers ?
>

Sorry for taking so long to get back. I have reported the issue.
Apparently I should be getting an email with a ticket number but no
sign of it yet.

> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
  2020-11-02  6:54   ` Chris Packham
@ 2020-11-11  7:22     ` Chris Packham
  2020-11-14  4:17       ` Chris Packham
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Packham @ 2020-11-11  7:22 UTC (permalink / raw)
  To: buildroot

On Mon, Nov 2, 2020 at 7:54 PM Chris Packham <judge.packham@gmail.com> wrote:
>
> Hi Thomas,
>
> On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello Chris,
> >
> > On Wed, 21 Oct 2020 20:44:24 +1300
> > Chris Packham <judge.packham@gmail.com> wrote:
> >
> > > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> > > updated.
> > >
> > > Signed-off-by: Chris Packham <judge.packham@gmail.com>
> > > ---
> > >  package/syslog-ng/syslog-ng.mk | 4 ++++
> > >  1 file changed, 4 insertions(+)
> > >
> > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/syslog-ng.mk
> > > index 7c2368efba..8587da746a 100644
> > > --- a/package/syslog-ng/syslog-ng.mk
> > > +++ b/package/syslog-ng/syslog-ng.mk
> > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> > >  SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> > >       --disable-java --disable-java-modules --disable-mongodb
> > >
> > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database is not
> > > +# aware of the fix, ignore it
> > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
> >
> > But as proposed over e-mail separately, the proper fix is to modify the
> > NVD database. Have you had the chance to report the issue to the NVD
> > database maintainers ?
> >
>
> Sorry for taking so long to get back. I have reported the issue.
> Apparently I should be getting an email with a ticket number but no
> sign of it yet.
>

They've bumped me on to secalert at redhat.com so we'll see ow that goes.

> > Thanks!
> >
> > Thomas
> > --
> > Thomas Petazzoni, CTO, Bootlin
> > Embedded Linux and Kernel engineering
> > https://bootlin.com

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110
  2020-11-11  7:22     ` Chris Packham
@ 2020-11-14  4:17       ` Chris Packham
  0 siblings, 0 replies; 5+ messages in thread
From: Chris Packham @ 2020-11-14  4:17 UTC (permalink / raw)
  To: buildroot

On Wed, 11 Nov 2020, 8:22 PM Chris Packham, <judge.packham@gmail.com> wrote:

> On Mon, Nov 2, 2020 at 7:54 PM Chris Packham <judge.packham@gmail.com>
> wrote:
> >
> > Hi Thomas,
> >
> > On Fri, Oct 23, 2020 at 2:43 AM Thomas Petazzoni
> > <thomas.petazzoni@bootlin.com> wrote:
> > >
> > > Hello Chris,
> > >
> > > On Wed, 21 Oct 2020 20:44:24 +1300
> > > Chris Packham <judge.packham@gmail.com> wrote:
> > >
> > > > This as fixed in syslog-ng 2.0.10 but the NVD database hasn't been
> > > > updated.
> > > >
> > > > Signed-off-by: Chris Packham <judge.packham@gmail.com>
> > > > ---
> > > >  package/syslog-ng/syslog-ng.mk | 4 ++++
> > > >  1 file changed, 4 insertions(+)
> > > >
> > > > diff --git a/package/syslog-ng/syslog-ng.mk b/package/syslog-ng/
> syslog-ng.mk
> > > > index 7c2368efba..8587da746a 100644
> > > > --- a/package/syslog-ng/syslog-ng.mk
> > > > +++ b/package/syslog-ng/syslog-ng.mk
> > > > @@ -17,6 +17,10 @@ SYSLOG_NG_AUTORECONF = YES
> > > >  SYSLOG_NG_CONF_OPTS = --disable-manpages --localstatedir=/var/run \
> > > >       --disable-java --disable-java-modules --disable-mongodb
> > > >
> > > > +# CVE-2008-5110 was fixed in syslog-ng 2.0.10 but the NVD database
> is not
> > > > +# aware of the fix, ignore it
> > > > +SYSLOG_NG_IGNORE_CVES += CVE-2008-5110
> > >
> > > But as proposed over e-mail separately, the proper fix is to modify the
> > > NVD database. Have you had the chance to report the issue to the NVD
> > > database maintainers ?
> > >
> >
> > Sorry for taking so long to get back. I have reported the issue.
> > Apparently I should be getting an email with a ticket number but no
> > sign of it yet.
> >
>
> They've bumped me on to secalert at redhat.com so we'll see how that goes.
>

Looks like the text has been updated to say that the vulnerability affects
versions up to 2.0.9 but the cpe info hasn't been updated yet.

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20201114/4901126c/attachment.html>

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-11-14  4:17 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-21  7:44 [Buildroot] [PATCH] package/syslog-ng: Ignore CVE-2008-5110 Chris Packham
2020-10-22 13:43 ` Thomas Petazzoni
2020-11-02  6:54   ` Chris Packham
2020-11-11  7:22     ` Chris Packham
2020-11-14  4:17       ` Chris Packham

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.